ALB17666 S.L.C.
115TH CONGRESS
1ST SESSION
S. ____
To provide minimal cybersecurity operational standards for Internet-connected devices purchased by Federal agencies, and for other purposes.
IN THE SENATE OF THE UNITED STATES
__________
Mr. WARNER (for himself, Mr. GARDNER, Mr. WYDEN, and Mr. DAINES) introduced the following bill; which was read twice and referred to the Committee on __________
A BILL
To provide minimal cybersecurity operational standards for Internet-connected devices purchased by Federal agencies, and for other purposes.
Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the “Internet of Things (IoT) Cybersecurity Improvement Act of 2017”.
SEC. 2. DEFINITIONS.
In this Act:
(1) DIRECTOR.—The term “Director” means the Director of the Office of Management and Budget.
(2) EXECUTIVE AGENCY.—The term “executive agency” has the meaning given the term in section 133 of title 41, United States Code.
(3) FIRMWARE.—The term “firmware” means a computer program and the data stored in hardware, typically in read-only memory (ROM) or programmable read-only memory (PROM), such that the program and data cannot be dynamically written or modified during execution of the program.
(4) FIXED OR HARD-CODED CREDENTIAL.—The term “fixed or hard-coded credential” means a value, such as a password, token, cryptographic key, or other data element used as part of an authentication mechanism for granting remote access to an information system or its information, that is—
(A) established by a product vendor or service provider; and
(B) incapable of being modified or revoked by the user or manufacturer lawfully operating the information system, except via a firmware update.
(5) HARDWARE.—The term “hardware” means the physical components of an information system.
(6) INTERNET-CONNECTED DEVICE.—The term “Internet-connected device” means a physical object that—
(A) is capable of connecting to and is in regular connection with the Internet; and
(B) has computer processing capabilities that can collect, send, or receive data.
(7) NIST.—The term “NIST” means the National Institute of Standards and Technology.
(8) PROPERLY AUTHENTICATED UPDATE.—The term “properly authenticated update” means an update, remediation, or technical fix to a hardware, firmware, or software component issued by a product vendor or service provider used to correct particular problems with the component, and that, in the case of software or firmware, contains some method of authenticity protection, such as a digital signature, so that unauthorized updates can be automatically detected and rejected.
(9) SECURITY VULNERABILITY.—The term “security vulnerability” means any attribute of hardware, firmware, software, process, or procedure or combination of 2 or more of these factors that could
